DMV Impersonation Scam, Scania Insurance Breach, Cock.li Records Exposed – Cybersecurity News [June 16, 2025]

by DuoCircle

 

Cyberattacks and data breaches continue to hit hard this week! A scam targeting U.S. residents through fake DMV messages is harvesting sensitive data. At the same time, separate breaches have exposed insurance documents at Scania, journalist accounts at The Washington Post, and over a million records from Cock.li’s email service. WestJet Airlines is also facing internal disruptions due to a cyberattack. Here’s a quick breakdown of the most important incidents and how to stay safe.

 

Phishing Scams Impersonating DMV Target U.S. Citizens for Personal Data

There’s a new phishing scam tricking people in the U.S. by pretending to be messages from their local DMV, warning them about fake toll violations, and stealing their personal information.

Threat actors have been sending these fake text messages since May. The messages appear to come from state motor vehicle departments, warn about unpaid tolls, and threaten legal action or license suspension if people do not respond. They also cite made-up legal codes to sound official and link to websites that impersonate official DMV sites. Victims are first asked to pay a small fee, usually $6.99, then prompted to enter personal details like their name, address, email, phone number, and full credit card information.

Check Point researchers found that the scam used a common setup for all states, hosted on suspicious domains using low-cost extensions like .cfd and .win. The websites share identical files and even code. Over 2,000 complaints have already been sent to the FBI’s Internet Crime Complaint Center, and many state agencies have issued warnings.

Users are urged to avoid clicking on unknown links in texts and verify toll-related messages directly with their state’s official DMV website.

 


Scania Discloses Insurance Data Breach Linked to Extortion Effort

This week, Scania also confirmed a cyberattack that targeted its Financial Services systems and led to the theft of insurance claim documents.

The breach occurred when threat actors used login credentials from an external IT partner to access Scania’s insurance platform, “insurance.scania.com.” These credentials were likely stolen using password-stealing malware. Once inside, they downloaded documents linked to insurance claims, which may include personal, financial, or medical details. Shortly after, the organization’s employees began receiving emails from a ProtonMail address, with the attacker threatening to release the stolen data unless demands were met.

The hacker, known online as “Hensi,” has also offered the stolen data for sale on a cybercrime forum (i.e., Dark Web), claiming exclusive access to documents from the Scania insurance domain. Some sample files were also leaked. The organization confirmed the incident and clarified that the compromised system had been taken offline and that an internal investigation was underway.

Scania continues to review the situation. Users and partners are advised to monitor their accounts and practice good password hygiene.

 


Cock.li Webmail Breach Exposes 1 Million User Records

Cock.li, a free email service, has confirmed a major data breach affecting over a million users after attackers exploited a flaw in its old Roundcube webmail system.

The breach impacted everyone who logged into Cock.li since 2016, which is about 1,023,800 users. It exposed email addresses, login timestamps, failed login attempts, language preferences, and a block of saved Roundcube settings and email signatures. But that’s not all; around 10,400 users were affected more than the rest, as the breach also revealed third-party contact names, email addresses, vCards, and comments. However, no passwords, email content, or IP addresses were compromised, as they were not stored in the affected databases.

The incident followed unexplained service disruptions and was later confirmed when a hacker began selling two stolen Cock.li databases online for at least one Bitcoin. Cock.li, known for its privacy stance and independent operation since 2013, acknowledged the issue and stated the attack likely happened through a known Roundcube vulnerability, CVE-2021-44026. The service has since removed Roundcube permanently, admitting they should not have been using it in the first place.

 


Users are advised to reset their passwords and switch to using email clients via IMAP or SMTP for safer access.

 

Washington Post Email Breach Compromises Journalist Accounts

Several journalists at The Washington Post had their email accounts hacked this week in what is believed to be a cyberattack.

The breach was discovered on a Thursday evening, and by Sunday, June 15, staff were notified through an internal memo of a possible targeted intrusion in the newspaper’s email system. The memo, signed by Executive Editor Matt Murray, confirmed that a limited number of Microsoft accounts were affected. The attack mainly focused on journalists who report on national security and economic policies.

Experts suggest the method used may be tied to advanced persistent threats, which are often backed by nation-states and known to exploit Microsoft Exchange systems. These attacks often rely on vulnerabilities in the Exchange servers. Microsoft and security firms like ESET have tracked such activity in the past as well, linking it to well-known hacker groups using zero-day exploits.

 


However, The Washington Post has not yet released public details about the threat actor behind the cyberattack. Users should update software regularly and avoid opening suspicious emails to stay protected.

 

WestJet Probes Cyberattack Affecting Internal Operations

WestJet is also investigating a cyberattack that has affected many of its internal systems and disrupted access to both its website and the mobile application.

WestJet is one of the most prominent airlines in Canada, and the cyberattack is restricting users from logging into their accounts. The organization has already activated its internal security teams and is working with law enforcement and Transport Canada to look into the issue and reduce the damage. It stated that the safety of its operations and the protection of sensitive information related to both passengers and employees are its top priority. Additionally, a formal apology has been extended to customers for the inconvenience caused.

 


Although access to websites and apps is being restored, some internal tools and services are still experiencing issues. The nature of the attack remains unclear: it is not yet known whether the systems were encrypted by ransomware or intentionally shut down by the airline as a precaution, because WestJet has not responded to media queries about the details of the breach so far.

Operations remain safe, but passengers should keep an eye on official updates and avoid clicking on suspicious links.

Implementing SPF, DKIM, and DMARC protocols can significantly strengthen email security and help mitigate phishing, spoofing, and data breach risks across organizations.
